How to Configure Attachment Filtering
Microsoft Exchange Server 2007 will reach end of support on April 11, 2017. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Applies to: Exchange Server 2007, Exchange Server 2007 SP1, Exchange Server 2007 SP2, Exchange Server 2007 SP3
Topic Last Modified: 2016-11-10
This topic explains how to use the Exchange Management Shell to configure attachment filtering. Attachment filtering cannot be managed by using the Exchange Management Console.
Attachment filtering can block attachments from entering the Microsoft Exchange Server 2007 organization by attachment content type or by attachment file name. How the attachments are processed depends on how attachment filtering is configured.
Note: Configuration changes that you make to attachment filtering by using the Exchange Management Shell are made only to the local computer that has the Edge Transport server role installed. If you have multiple instances of the Edge Transport server role running in your organization, you must apply attachment filter configuration changes to each computer.
By default, the Attachment Filter agent is enabled on the computer that has the Edge Transport server role installed. To determine whether the Attachment Filter agent is enabled, run the Get-TransportAgent cmdlet. For more information, see Get-TransportAgent.
To enable the Attachment Filter agent if it is not enabled, run the following command:
Enable-TransportAgent -Identity "Attachment Filtering agent"
For more information about the Enable-TransportAgent cmdlet, see Enable-TransportAgent.
As mentioned earlier in this topic, you can configure an attachment filter entry to filter attachments by attachment content type or by attachment file name.
MIME content types: MIME content types indicate the attachment type, whether it is a JPEG image, an executable file, a Microsoft Office Excel 2003 file, or another file type. E-mail attachments are encoded in e-mail messages as ASCII text. E-mail servers and clients use the MIME content type information to decode the ASCII text information in an e-mail message and convert it into a usable binary file that is familiar to the user. Content types are expressed as type/subtype. For example, the JPEG image content type is expressed as image/jpeg.
For more information about MIME content types, see Request for Comments (RFC) 1341.
Note: The third-party Web site information in this topic is provided to help you find the technical information you need. The URLs are subject to change without notice.
File names: You can specify attachment file names in the attachment filter lists with an exact file name, such as BadFilename.exe. Alternatively, you can specify any file name with a certain extension if you replace the part of the file name that is to the left of the period with a wildcard character. An example of how you can use a wildcard character in a file name is *.exe.
Before you add a new attachment filter entry, you must determine whether you want to filter by MIME content type or by file name. Your choice of attachment filter type depends on your business needs and policies.
Exchange 2007 lets you configure multiple attachment filters on each Edge Transport server. If you have more than one Edge Transport server that accepts e-mail that you want to filter, you must configure the same attachment filter on each Edge Transport server.
To add a new attachment filter that filters e-mail attachments that have a specific MIME content type, use the following command:
Add-AttachmentFilterEntry -Name <MIMEContentType> -Type ContentType
For example, if you want to filter all JPEG images by using an attachment filter, run the following command on each Edge Transport server:
Add-AttachmentFilterEntry -Name image/jpeg -Type ContentType
To add a new attachment filter that filters e-mail attachments based on a file name or file name extension, run the following command:
Add-AttachmentFilterEntry -Name <FileName> -Type FileName
For example, if you want to filter all e-mail attachments that have the file name extension EXE, run the following command:
Add-AttachmentFilterEntry -Name *.EXE -Type FileName
If you want to filter e-mail attachments that have a specific file name, you can specify that file name in the Name parameter when you specify the |
You configure attachment filtering for each Edge Transport server role. All attachment filter entries that run on an Edge Transport server role use the same attachment filtering behavior. The following parameters are available on each Edge Transport server role to configure attachment filtering behavior:
RejectResponse: This parameter specifies the string response that is included in the non-delivery report (NDR) message if an e-mail message that has a filtered e-mail attachment is returned to the sender.
Action: This parameter specifies how attachment filtering handles an attachment that matches an attachment filter entry. The default value is Strip. Valid values include the following:
Reject: Use this value to prevent both the e-mail message and attachment from being delivered to the recipient and to issue an NDR failure message to the sender.
Strip: Use this value to remove the attachment from the e-mail message. This value allows the message and other attachments that do not match an entry on the attachment block list to be delivered to the recipient. A notification that the attachment was blocked is added to the e-mail message.
SilentDelete: Use this value to prevent both the e-mail message and attachment from being delivered to the recipient. A notification that the e-mail message and attachment were blocked is not returned to the sender.
To configure attachment filtering on an Edge Transport server role, use the Set-AttachmentFilterListConfig cmdlet. For example, the following command sets the Action parameter to Reject and configures the RejectResponse parameter:
Set-AttachmentFilterListConfig -Action Reject -RejectResponse "The attachment you included in your e-mail message was not allowed. Your e-mail message cannot be delivered. Please remove the e-mail attachment, and send your message again."
To perform this procedure on a computer that has the Edge Transport server role installed, you must log on by using an account that is a member of the local Administrators group on that computer.
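The following script is an added example, not part of the original topic. It combines the steps above into one pass that can be run unchanged on every Edge Transport server, adds only the entries that are missing, and prints the resulting configuration so that servers can be compared. The entries in $desired are the sample values used in this topic and are assumed to stand in for your own policy.

```powershell
# Run in the Exchange Management Shell on EACH Edge Transport server;
# attachment filter settings are stored locally and are not replicated.

# Desired entries (sample values from this topic; replace with your policy).
$desired = @(
    @{ Type = 'FileName';    Name = '*.exe' },
    @{ Type = 'FileName';    Name = 'BadFilename.exe' },
    @{ Type = 'ContentType'; Name = 'image/jpeg' }
)
$rejectText = 'The attachment you included in your e-mail message was not allowed. ' +
              'Your e-mail message cannot be delivered. Please remove the e-mail ' +
              'attachment, and send your message again.'

# 1. Make sure the Attachment Filter agent is enabled.
$agent = Get-TransportAgent -Identity 'Attachment Filtering agent'
if (-not $agent.Enabled) {
    Enable-TransportAgent -Identity 'Attachment Filtering agent'
    # The change takes effect after the Microsoft Exchange Transport
    # service is restarted; schedule that restart separately.
    Write-Warning 'Agent enabled. Restart the Microsoft Exchange Transport service.'
}

# 2. Add only the entries that are not already present, so the script
#    can be re-run safely. Keys are compared in lower case as "Type:Name".
$existing = @(Get-AttachmentFilterEntry |
    ForEach-Object { "$($_.Type):$($_.Name)".ToLower() })

foreach ($entry in $desired) {
    $key = "$($entry.Type):$($entry.Name)".ToLower()
    if ($existing -notcontains $key) {
        Add-AttachmentFilterEntry -Name $entry.Name -Type $entry.Type
        Write-Host "Added   $key"
    } else {
        Write-Host "Present $key"
    }
}

# 3. Apply the filtering behavior shared by all entries on this server.
Set-AttachmentFilterListConfig -Action Reject -RejectResponse $rejectText

# 4. Show the effective configuration for comparison between servers.
Get-AttachmentFilterEntry | Sort-Object Type, Name | Format-Table Type, Name -AutoSize
Get-AttachmentFilterListConfig | Format-List Action, RejectResponse
```

Saving the output of step 4 from each server and comparing the files shows any Edge Transport server whose filter list or action has drifted from the others.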
For detailed syntax and parameter information for these commands, see the following topics: